dns rebinding

Recently I have done a couple of tests which made me consider DNS rebinding attack in details. Considering relatively large number of "moving parts" involved into the attack, I figured it worth making a checklist which can be used to do this kind of evaluation. Below is the draft which I am working on. In particular I intend to add references and explanations/testing guidelines to the checklist. Not sure about PoC exploits.